Why Was the WannaCry Attack Such a Big Deal?

Can we discuss for a moment that our hero was doxed by british tabloids? Real shitty way to treat someone who prevented extreme infrastructure damages.

The guy who stopped it wasn't anonymous for long. He tweeted about how tabloids doxed his friends and blackmailed them to get his address, phone number etc. He said it was the worst experience of his life

adding that kill switch is like mad scientist putting a big self destruct button on a giant evil robot

Microsoft should have said in the update "NSA did a goof, now there's a gaping hole in your security and this update fixes it."

"Cyber-security whack-a-mole." Made my night.

"What operating system does it use?"
"It's... erm... Vista!"
"WE'RE GOING TO DIE!"

I remember when WannaCry hit, I was doing contracted dev work for Telefonica, and they were a real pain to deal with. Got the week off work, 10/10 would recommend.

"Having a kill switch is an amateur mistake": Viruses are usually things you have no control over, releasing a virus is a risk for your own computer as well.

the vast majority of affected users were using Windows 7

Here's the thing though, when software companies consistently release patches or updates that make the software worse for end users, like adding more advertising, placing additional restrictions, changing UI, or generaly pushing unwanted "features" (I'm looking at you, Skype), I can't say I totally blame people for being reluctant to update.

Seems obvious to me that NSA should pay for this, and then some. Teach them to snoop around.

Or, was it Microsoft saying "Hey, Update or else!!!"

Just want to say this....Love you scishow :)

XP wasn't among the infected computers, the only confirmed infections of XP was researchers infecting it by hand. Windows 7 was the main infected OS.
As for the "kill switch" it's most likely a sandbox detection thing, not a killswitch, but it was badly implemented.

And I just clicked "later" on an update as this video was starting 😂

The killswitch exists because in a lot of virtual machines unregistered domain names will return an IP address (and unused local network IP address) so it is used as a method of detecting if the malware has infected a VM system, which is usually not worth encrypting for ransom.

I love the portrayal of the ransom payment system here--it assumes the hacker actually intended to restore anyone's files after they paid.

This has already probably been said, but the prevailing theory on why the kill switch domain was in the code was to make it harder for people to analyse the virus. A general practice in malware analysis is to put the virus in an environment where it cannot do much harm or get out. These environments also usually just respond to any requests the program makes with fake data, so it thinks it is getting out but it is not. The kill switch worked by the thought that if it gets anything back from the fake website, it must be due to it being studied. Obviously this did not work as planned, but that at least says what they wanted to do.

Watched many videos on the WannaCry attack but this one is the best and concise video available on the whole youtube!

Shadow brokers? Didn't know we were in Mass Effect 2.

Wait, Shadow Brokers? You mean, Mass Effect's most infamous information trader is real?

I'm 25th! I'm so happy I wannacry
edit: by 25th I meant 25th comment btw but I appreciate the birthday well wishes. I'll try to remember them when I turn 25.

For anyone wondering, the suspected reason for the inclusion of a killswitch was an attempt to delay people trying to crack Wannacry's code. From what I have read, when the virus is loaded into a simulator, the gibberish URL would read as registered and then immediately pull out of that system so that the virus could not be "tested". However, since they hardcoded the URL, it was much simpler to just register that URL so that it would keep pulling out of any system it infects.

I always update and backup almost everything I have on my PC.
Gotta keep my memes safe!

seems like wanna cry was a distraction, but could've been something a lot more... troublesome.

thx for another gr8 vid john green

I'm late to watching this video, but I just wanted to comment and say thank you for the explanation that was easy to understand. I don't know much about computers, but you explained this in a way that I could grasp.

I was reading on Ars Technica that Xp wasn't an infection vector for the attack because in XP the attack on the SMB caused the system to crash before the files could be encrypted. This overwhelmingly affected windows 7. 10 was never vulnerable to the SMB issue afaik.

It was actually not entirely true. The number of Windows XP computers affected by WCry was very very low. It would simply BSOD on them. The bulk of affected computers were running Windows 7 x64 bit.

it is well known why the "kill switch" existed - for vm detection ...and the hackers made $0 from the attack because the bitcions are NOT anonymous

Thanks for the upload

A small hospital near me had to pay the ransom (something like $40,000 USD) because they had no backups they had no choice but to pay

The kill switch system makes sense. They can set up a their local networks to lead to a 'intranet' page whenever that URL is entered from within it. They might have been scared of accidentally infecting themself

To be honest, the only reason I don't update is because sometimes new things are added and maybe new filters on the screen or something is added which I don't want and can't remove. So updating to protect myself from a virus is not worth it if my computer is going to be near unusable in the first place.

i love this dude taught me chemistry on youtube.... great teacher

Thank you, SciShow, for reminding me to update my backups. I'll have to get on that tomorrow.

I wouldn't mind updating if Microsoft didn't hide windows 10 ad generators or spyware programs in the updates

Maybe this was a test?...

thank you for making this

Who knew having my PC disconnected saved me from this ransomware

If the NSA used the exploit, then when it was leaked why didn't they use their resources and update all the machines vulnerable. It's a national agency, they do unconstitutional stuff all the time anyway.

shadow brokers? Mass Effect, anyone?

Thanks again Hank!

THANK YOU SO MUCH! im doing presentation on this soon and this explained everything so much better

2:19 bruh

If someone infects one of my computers with ransom wear, I will just restore one of my older computers in the 3x3x3 computer block of computers behind me...

The kill switch was probably a way for the malware to detect if it was being studied in a lab. This is quite common, malware writers often try to make it so that their malware will behave differently when it is being studied (ie, debugging software, virtual machines etc).

Wannacry was actually somewhat kind to people. They were like in 6 moths they will have an event where you can get your files back if your to poor to buy them back.

3:19 You're welcome in advance.

Windows updates tend to break the OS. I'm never eager to update. EVER.

Greatly done!

The hospital I work in didn't get infected as we use Windows 7 but we shut everything down as a precaution, that caused chaos as we're one of a few NHS trusts to be completely electronic. The hospital I worked in last year got infected as they use operating systems/programs from the late 80's/early 90's in some instances!

We should be mad at the NSA

Lol, it seems like everyone forgets Win8. Still my favorite operating system. After a few slight mods, it runs way better than 7 or 10.

SCISHOW!!!! you always make my day.

I'm pretty sure I've only not heard of this because I don't use windows, one main reason is that it's just like "ok, time to update, I'm closing your stuff, bye, see ya in an hour or two!" And you can't stop it

And this is a clear example of why businesses should update there systems.

There are a few problems with this video. Windows 10 was never in danger. The exploit didn't exist on Windows 10. Also, a security patch (the first in 3 years) was released for Windows XP, despite being out of support. WannaCrypt affected Windows XP, 7, 8, and the related server versions, all of which have now received patches (assuming the update has been installed).

Mass overhauling an os for a large scale is actually incredibly difficult, because doing it all at once can often leave the whole system down and needing to replace large amounts of things all at once and it takes out the operations for way too long. If trying to do it in parts, the parts of the system are usually interconnected, so taking one part offline to change it basically wrecks anything adjacent that relies on it. We had this issue in a big store chain i worked at. Our inventory system was incredibly inefficient and relied solely on human knowledge. We carried a large array of things from just about everywhere, our inventory was different every single day. And i dont just mean season to season, we basically had no set inventory, think thrift store. So if you needed info on an item, you had to call someone who just knew roughly where it belonged to check the prices. People basically generally knew what types of things we carried and what the price was likely to be and how to estimate one if needed. You gained that knowledge simply by working there long enough to get a feel for how we did things. Obviously this was incredibly inefficient and reliant on competent workers. But to overhaul it would have meant changing absolutely everything. The way we sort, how we scan, all our equipment. It was possible to set it up as automatic for sure, but for an extremely busy store in a worldwide company the effort would have been enormous. Basically they decided that having an inefficient human powered system was still cheaper and less hassle than overhauling it.
That's the thing, just because there is a better option, doesn't mean its actually more suited. If all you need is to work with word documents, using a supercomputer isnt actually more useful than an old beat lappy. Yeah, you could make dog leashes out of kevlar sting, but nylon is more than enough. In factories many processes could be done by robots, but they still hire just a ton of people to do rote repetitive tiny work, because, especially for smaller orders its STILL cheaper to just pay people to basically just be a biomechanical arm. Upgrading to win 10 when xp is already doing exactly what you need is a waste of time and resources. Unfortunately stuff like this pops up occasionally.

this made me wanna cry

The kill switch was far from a amateur mistake. It was designed so that when the malware was being studied in a computer laboratory to find out how it worked the worm would instantly realise it was being studied and immediately terminate all of its processes

Plot twist: SciShow launched the attack just to make this video.

thank you scishow

I recently had an IT interview with the NHS, they assured me that it was impossible to hack their systems - I didn't get the job, but I came away laughing at them, not their patients who were the ones who really suffered.

Hey there, SciShow! I have a personal request for the topic of cerebral aneurysms! I experienced a rupture when I 19 and the suddenness and severity of them would make for a good informative video for the public! Thank you!

let me cleat something - in the industry nobody cares about the latest OS if it is practically the same and doesn't bring any benefit for the money paid. the lasers in our factory will forever run on XP, because there is no point in updating it. the software runs perfectly, so why bother?!

Eternal green: *chuckles* ... I’m in danger

now I'm glad that I got the update yesterday.

In MARCH, Microsoft released a patch. Vast majority of machines infected by WannaCry, were Windows 7 machines still supported by Microsoft.
Why is it, people seem to think avoiding patches is a game? Every major computer outbreak in recent times it's the same story, a patch to fix the hole/bug/exploit was released months if not years before the major exploit of it. We've gotten to the point you can no longer blame the software, it's the space between the keyboard and the chair that's the problem. (The User)
To the argument a patch breaking your software, I'd rather deal with a scheduled software break than an unscheduled software attack.

they still havent released a patch for window 95 im pissed.

fast and simple, thanks

Yay you published your vid on my birthday

when did this attack happen exactly?

"Haha take that Windows" said apple looking for its lost 300 dollar earpods

Microsoft actually did release a patch for Windows XP to fix the SMB bug, which kind of surprised all of us in the IT field. But there was a bug in the WannaCry code that actually stopped it from being able to infect XP.
Also the theory about the kill switch is that it was put there in order to help the Malware detect if it was in a sand box, which would mean a security researcher was testing it. Their mistake was to not just randomize the domain name it checks (ie random characters with a .com on the end).

Didn't know this was happening until now

I'm sure thousands of people have said this, but what if they did this on purpose...just to get people to update, and to entice people to CONTINUE to update?
And not for altruistic reasons, I mean for nefarious ones. "Mwahahahaha, we released an update that has taken all of their base, now it will belong to us!"

not for linux or bsd users

As Hank said, all the MRI machines and other such things needed specific software to run and upgrading would cost time and money and require re-calibrating which would've added long waiting times. And the Government didn't give enough funding to NHS IT departments which is so desperately needed.

The "Kill switch" was only used as a way to determine whether it was sandboxed. A sand boxing application would have returned something to the program, so it didn't get suspicious. However, knowing that it was a garbage URL, wannacry would stop in it's tracks, because it would know it was sand boxed. It wasn't a kill switch, but a clever tactic to see if it was running on a live system or sand boxed.

This is NOT TRUE. The NHS was not up and running again within a day of the attack. Staff were sent home for days after because they could not work on the computers.

That URL kill switch was a bait. This was just round one. Prepare for the second wave.

The kill switch was added to check if the malware was run on a simulated network (this is a technique often used in virtual environments by malware analysts to emulate network traffic without actually having to let the malware wander around the internet)

0:49 backups do 999999999999 damage to ransomware

did hank say 'only' about $100,000 that's more than some people make in 2 years

hospitals need to get their computers off of windows

"As long as you haven't rebooted your computer", that's very useful.

I’m a computer gamer...
Who just happened to not be on my computer for 80% of 2017. Including those days.
Wow. Soooo lucky.

*[overeager conspiracy theorist voice]* So NSA did WannaCry. Got it.

Young Brit girl: "I'm on me mum's computer...v-room v-room."
Her mum: "Get off me computer!"
Young girl: "Awwww."

Great stuff from SciShow again. You can learn even more about how to play cyber security whack-a-mole in our new video: ua-cam.com/video/SQlfP5MsktM/v-deo.html

good stuff!

it had to be russia isnt it?

Nope.
Lesson from this story is "Install those Leenuux and never revert to shitty proprietary OS'es again".

I watch this and can't help but recall how old the computer systems are on space stations and such, and it seems...worrisome...to say the least.

At my dad's hospital (he works in IT, and is married to an IG manager) they shut down all of the computers, so they couldn't be infected, but then they still couldn't access the data...

I used Linux.

My girlfriend ransomware. I wannacry

The "killswitch" domain is a pattern used to bypass virus scans. Simply put, it's a way for the virus to know if it is executed by a sandbox (antivirus) or the OS itself. If it's a sandbox (antivirus), the virus doesn't activate and thus, bypasses it.

QUESTION: If I was attacked by a similar ransomware like half a year ago (I use Windows 7 by the way), can I still decrypt my files with those tools?